From 534531663ec78dd4a130ae1aa48950cd2ed16c91 Mon Sep 17 00:00:00 2001 From: Tim Haines Date: Wed, 3 Sep 2008 00:11:07 +1200 Subject: [PATCH] Fix form_authenticity_token so it uses auth token from cookie_session when cookie_store used --- .../request_forgery_protection.rb | 6 ++-- .../controller/request_forgery_protection_test.rb | 23 +++++++++++++++++++- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb index 05a6d8b..05b6153 100644 --- a/actionpack/lib/action_controller/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/request_forgery_protection.rb @@ -107,10 +107,10 @@ module ActionController #:nodoc: def form_authenticity_token @form_authenticity_token ||= if !session.respond_to?(:session_id) raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session." - elsif request_forgery_protection_options[:secret] - authenticity_token_from_session_id - elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) + elsif ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] == CGI::Session::CookieStore && session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest) authenticity_token_from_cookie_session + elsif request_forgery_protection_options[:secret] + authenticity_token_from_session_id else raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)." end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index f7adaa7..6a27d78 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -50,6 +50,11 @@ class CsrfCookieMonsterController < ActionController::Base protect_from_forgery :only => :index end +class CsrfCookieMonsterControllerWithAccidentalSecret < ActionController::Base + include RequestForgeryProtectionActions + protect_from_forgery :only => :index, :secret => 'abc' +end + # sessions are turned off class SessionOffController < ActionController::Base protect_from_forgery :secret => 'foobar' @@ -233,7 +238,7 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase end @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') ActionController::Base.request_forgery_protection_token = :authenticity_token - end + end end class RequestForgeryProtectionWithoutSecretControllerTest < Test::Unit::TestCase @@ -271,6 +276,22 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase end end +class CsrfCookieMonsterControllerWithAccidentalSecretTest < Test::Unit::TestCase + include RequestForgeryProtectionTests + def setup + @controller = CsrfCookieMonsterControllerWithAccidentalSecret.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + class << @request.session + attr_accessor :dbman + end + # simulate a cookie session store + @request.session.dbman = FakeSessionDbMan + @token = Digest::SHA1.hexdigest("secure") + ActionController::Base.request_forgery_protection_token = :authenticity_token + end +end + class FreeCookieControllerTest < Test::Unit::TestCase def setup @controller = FreeCookieController.new -- 1.5.6.1